Using client-side redirect to HTTPS

Rule from ssl under security category

HTTPS/SSL lets you encrypt traffic and keep the content users receive secret.

But when the initial request to the site opens a page instead of simply redirecting, that content could be exposed to prying eyes, and secrets such as passwords leaked.

Client-side redirections are fine for simple redirects, but using them to switch between plain text and secure is a huge security problem.

Some browsers might not even support JavaScript, or have security settings that disallow changing the URL on the client side. Those users would stay on the plain-text website, exposing them to various privacy issues online.

Apart from the security issues, these redirects are also not cacheable by browsers.

How do I fix this?

Update the servers to use server-side status codes 301 or 302 to redirect.
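
One way to implement this fix on a Node.js server, as an added example that is not Passmarked's own code. The host names, `ALLOWED_HOSTS`, `CANONICAL_HOST` and both function names are assumptions made for illustration.

```javascript
// Hosts this site answers for. Constructed sample values (assumption).
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);
const CANONICAL_HOST = 'example.com';

// Decide the redirect for a request that arrived over plain HTTP.
// permanent=true -> 301 (browsers cache it by default), false -> 302.
function buildHttpsRedirect(hostHeader, path, permanent) {
  // Normalise the Host header: lower-case, drop any ":port" suffix.
  const host = String(hostHeader || '').toLowerCase().replace(/:\d+$/, '');
  // Never reflect an unknown Host into Location; use the canonical name.
  const target = ALLOWED_HOSTS.has(host) ? host : CANONICAL_HOST;
  // A request target that does not start with "/" (e.g. "@other.test/")
  // would change the authority of the URL when concatenated, so reset it.
  const safePath = String(path || '').startsWith('/') ? path : '/';
  return {
    status: permanent ? 301 : 302,
    headers: {
      Location: 'https://' + target + safePath,
      'Content-Length': '0', // no body: nothing readable is sent in plain text
    },
  };
}

// Handler with the (req, res) signature that Node's http.createServer expects.
// Wire it up with: require('http').createServer(redirectHandler).listen(80)
function redirectHandler(req, res) {
  const r = buildHttpsRedirect(req.headers.host, req.url, true);
  res.writeHead(r.status, r.headers);
  res.end();
}
```

The redirect is decided before any page is rendered, so it works with JavaScript disabled and the plain-HTTP response carries no content.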
